9.4 million passengers’ data stolen from CX

Old Nov 1, 18, 1:34 pm   -   Wikipost
Please read: This is a community-maintained wiki post containing the most important information from this thread. You may edit the Wiki once you have been on FT for 90 days and have made 90 posts.
 
Last edit by: kaka
Cathay Pacific information site:
https://infosecurity.cathaypacific.com/en_HK.html

If you want to hold CX to legal standing for the loss of private data, the best shot would be using EU GDPR regulations:
What to write to DPO/CX ([email protected]) according to EU GDPR in very short... (ref #177)
(if CX is seen as a HK company, then EU GDPR would apply to all EU Citizen inc valid and expired (not renounced) BNO Holders; and if CX is seen managed by John Swire & Sons Ltd in the UK via Swire, then Data Protection Act 2018 (of UK) which includes GDPR would apply to EVERYONE)
  • ask for data that CX hold on you
  • highlight specifically which data was lost
    (there's a few things you could ask them according to GDPR... refer to the website)
They have 1 month to respond or they will have to give you a reasonable timeframe where they have to respond by within the 1 month before you can go to ICO.

If you are seeking compensation from CX for the loss of private data, the following sites are dealing with class action against CX (not legal advice)

Old Oct 25, 18, 4:16 am
  #61  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,832
Originally Posted by ermen View Post
Some questions that I am unclear about

1. Does this only affect MPO / AM members / registered account members or are guests affected?
2. Only revenue fares or AM /redemptions or both?
2. Are third party (eg Expedia ) bookings affected
3. Even better are CX redemption via OW affected

I haven't received any email, because I don't generally book CX revenue. But have booked a few redemption using AM and BAEC
i got compromised. my last cash ticket... i don't remember. perhaps one lny before feb2015
kaka is offline  
Old Oct 25, 18, 4:34 am
  #62  
 
Join Date: Dec 2001
Location: China
Posts: 1,478
Nothing for me yet.

For those who had HKID/ passport/ birth day/ name/ email/ address taken - eek. Would be surprised if there haven't been phishing attempts on high value targets
peasant is offline  
Old Oct 25, 18, 4:47 am
  #63  
 
Join Date: Jan 2006
Programs: AAdvantage Asia Miles Air China
Posts: 547
I find it impossible to trust anything CX says on this. I also must be careful as data is my business, not IT, but information for Capital Markets.

These are some points which I feel must make people think:

  • The data stolen is not the same for everyone, this implies a huge issue in terms of accessibility and CX IT infrastructure. System access, storage and integrity are seriously compromised
  • To employ a negative, CX may know what was taken but they probably do not know everything that was taken
  • At the moment personal data security is structured by types on a layered basis in a simplistic interrogation environment, so it is about the combinations of data stolen. People with IDs and Dates of Birth being taken are at a high risk, however, a determined criminal can add value to the stolen data by going to social media. If I know who a person is and have other data, then things like Facebook are going to offer up missing information
  • Also CX has not stated if status has been taken as well. Knowing this allows criminals to prioritise targets
  • CX has only given the bare minimum of information and applied obfuscation, things like "We have no evidence of" and so on, it is the get out of gaol card. They are probably too incompetent to actually know how to find evidence, and equally from a previous post we can see CX are likely to be wrong about knowing what data for each client they have lost
  • Appalling data governance, though more likely non-existent data governance, if this had happened at a Bank I know exactly what would happen and when
While the above is rather negative, those losing higher risk data will need to think about impacts. Experian can only do so much.

And comparing to BA, they had 400K customers' details taken, CX lost 9 Million more or 23.5 times more. Impressive in its negligence.

Back to my mantra, CX and technology, 'Where the intelligence is virtual'
Mr. Strong, kaka, G-CIVC and 3 others like this.

Last edited by Nicc HK; Oct 25, 18 at 4:59 am
Nicc HK is offline  
Old Oct 25, 18, 4:59 am
  #64  
 
Join Date: Nov 2013
Location: Places
Programs: CI Paragon, Bonvoy Ambassador Elite
Posts: 164
Originally Posted by kaka View Post

i got compromised. my last cash ticket... i don't remember. perhaps one lny before feb2015
Similar here, my last was in 2013. They got my address, email, name, and title. Travel document was stored.
gracall is offline  
Old Oct 25, 18, 5:25 am
  #65  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,832
Originally Posted by txflyer77 View Post
https://twitter.com/benjaminbland/st...331503616?s=21

Cathay is directing questions to an unverified twitter account. What a clown show.

https://twitter.com/cathaypacific/st...444854273?s=21
Has anyone been told the travel history has been compromised?
kaka is offline  
Old Oct 25, 18, 5:29 am
  #66  
 
Join Date: Apr 2001
Location: HK
Programs: QF Emerald. CX Nobody
Posts: 2,620
very strange timing but my CX Elite card was used fraudulently over the weekend. Amex called about it and i had to cancel the card...

today i see this.. i know theft was 7mths ago ....but.. what a coincidence
fakecd is offline  
Old Oct 25, 18, 5:40 am
  #67  
 
Join Date: Jul 2011
Location: HKG
Programs: BA Silver, M&M
Posts: 935
One of my family members just received the email that the following were taken (less bad than others..?):

- address
- name
- title

I have not received an email yet relating to my own data. Neither of us are MP, but both have an AM account.
go_around is offline  
Old Oct 25, 18, 6:11 am
  #68  
 
Join Date: Jan 2011
Location: HKG/YVR
Programs: MPO, Aeroplan, SPG
Posts: 65
Originally Posted by blum81 View Post
What MP status are you?

My wife is at gold and parents are at silver but neither of them received the email.

Wonder if they are they really sending emails out according to MP levels? lol.
My wife has no status, just Asia Miles member and received the e-mail at around 18:05. I received nothing
BryanL is offline  
Old Oct 25, 18, 6:17 am
  #69  
 
Join Date: Jun 2005
Location: HKG
Posts: 1,062
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
hkskyline is offline  
Old Oct 25, 18, 6:37 am
  #70  
 
Join Date: Apr 2004
Location: Tokyo, Vancouver, Hong Kong, Dublin
Programs: CX DM
Posts: 854
Originally Posted by hkskyline View Post
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
yes a bit wary of it too. but gave it my email addresses, credit card number, etc. since my data is out there anyway. and got back the attached basically right away. not sure how much of the "dark web" it can scan. just hope experian itself doesn't get hacked.

marcuslai is offline  
Old Oct 25, 18, 6:49 am
  #71  
 
Join Date: Feb 2008
Location: Hong Kong
Programs: CX DM
Posts: 187
Originally Posted by hkskyline View Post
Anyone subscribing to their identity monitoring service with experian? Wonder if it's effective or more giving your personal data to another 3rd party.

http://www.globalidworks.com/identity1
They took this:
  • Email Address
  • HKID Number
  • Name
  • Nationality
  • Telephone Number
  • Title
and so I subscribed and the service told me that my email had been compromised twice in July and August...but as far as CX was concerned "We have no evidence that any personal data has been misused" !! Apparently, I'm supposed to "change the password for the email address that was found compromised" but there are no details of the accounts on the service. This could be messy

Last edited by clazza; Oct 25, 18 at 6:58 am Reason: grammar
clazza is offline  
Old Oct 25, 18, 7:37 am
  #72  
 
Join Date: May 2006
Location: HKG
Programs: A3, TK *G; JL JGC; SPG,Hilton Gold
Posts: 9,832
my gf lost her hkid and name. great....
kaka is offline  
Old Oct 25, 18, 7:52 am
  #73  
 
Join Date: Sep 2013
Posts: 525
Guys, I doubt status has anything to do with when you're getting it. It's just a matter of how the query is run and when they load the mail server to send it out.

Something to keep in mind. By accepting their identity theft protection, you could possibly be absolving CX of any responsibility they have to you. If you do want to be compensated somehow, you should read the T&Cs before accepting their identity theft protection.
LoveHateRelationship is offline  
Old Oct 25, 18, 7:54 am
  #74  
 
Join Date: Sep 2014
Location: DTW - Rochester Hills, MI
Programs: Cathay MPC, IHG Spire
Posts: 471
To those that have received the emailed notification, can one of you confirm if it comes from the same Marco Polo email address? I want to make sure my spam filters whitelist the address if it is something different.
Gongzuokuang is offline  
Old Oct 25, 18, 8:19 am
  #75  
 
Join Date: Nov 2017
Location: HKG
Programs: CX, BA
Posts: 69
Surprisingly calm when reading this. Prob becoz my name, address, ID bla bla bla were already leaked when HK gov lost the computer containing all HK voters' information. Not particularly cross if/when CX leaked those again. But why do they announce this 5 months after confirming such incident? In March, it is still kind of reasonable not to announce to the public when they 'suspected' such leakage. It is hard to see any legitimate reason to remain silent for 5 months after knowing such colossal data leakage.
FlyPointyEnd likes this.
marcommm is offline  
